“Identity Standards Updates - Bringing Government and ... · “Identity Standards Updates –...


Page 1: “Identity Standards Updates - Bringing Government and ... · “Identity Standards Updates – FIDO” Brett McDowell, Executive Director, FIDO Alliance brett@fidoalliance.org 1

“Identity Standards Updates – FIDO”

Brett McDowell, Executive Director, FIDO Alliance brett@fidoalliance.org

Page 2:

AGENDA

The Problem

The Solution

The Alliance

Updates

Page 3:

Data Breaches…

783 data breaches in 2014

>1 billion records since 2012

$3.5 million cost/breach

Page 4:

“76% of 2012 network intrusions exploited weak or stolen credentials” 2013 Data Breach Investigations Report

Page 5:

The world has a PASSWORD PROBLEM

Page 6:

ONE-TIME PASSCODES

Improve security but aren’t easy enough to use

Still Phishable

User Confusion

Token Necklace

SMS Reliability

Page 7:

WE NEED A NEW MODEL

Page 8:

WE CALL OUR NEW MODEL

Fast IDentity Online

online authentication using public key cryptography

Page 9:

AGENDA

The Problem

The Solution

The Alliance

Updates

Page 10:

THE OLD PARADIGM

USABILITY SECURITY

Page 11:

THE FIDO PARADIGM

[Figure: USABILITY axis (Poor, Easy); SECURITY axis (Weak, Strong)]

Page 12:

HOW OLD AUTHN WORKS

ONLINE

The user authenticates themselves online by presenting a human-readable secret

Page 13:

HOW FIDO AUTHN WORKS

AUTHENTICATOR

LOCAL: The user authenticates “locally” to their device by various means

ONLINE: The device authenticates the user online using public key cryptography

Page 14:

online authentication using public key cryptography

Page 15:

Passwordless Experience (UAF Standards)

1. Authentication Challenge

2. Biometric Verification*

3. Authenticated Online

Second Factor Experience (U2F Standards)

1. Second Factor Challenge

2. Insert Dongle* / Press Button

3. Authenticated Online

*There are other types of authenticators

Page 16:

FIDO Registration

User is in a Session Or New Account Flow

1. Invitation Sent

2. User Approval

3. New Keys Created

4. Public Key Registered With Online Server

Registration Complete

Page 17:

FIDO Authentication

User needs to login or authorize a transaction

1. FIDO Challenge

2. User Approval

3. Key Selected & Signs

4. Signed Response verified using Public Key Cryptography

Login Complete
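
The registration and authentication steps on the two slides above, as an added Node.js sketch (not FIDO Alliance code and not the UAF/U2F wire format). The `Authenticator` and `RelyingParty` classes, the `.example` services and the user name are assumptions made up for illustration; it also shows that a replayed response or one signed for another service is rejected.

```javascript
// Added illustration of FIDO-style registration and authentication.
// Class names, the .example services and user 'alice' are constructed, not a FIDO API.
const crypto = require('crypto');
// Data the authenticator signs: hash of the service identity plus the challenge.
function signedData(appId, challenge) {
  return Buffer.concat([crypto.createHash('sha256').update(appId).digest(), challenge]);
}

class Authenticator {
  constructor() { this.keys = new Map(); } // appId -> private key, stays on the device
  // Registration: the user approves and a new key pair is created for this service.
  register(appId, userApproved) {
    if (!userApproved) throw new Error('user approval required');
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(appId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this leaves the device
  }
  // Authentication: the user approves, the key for this service is selected and signs.
  sign(appId, challenge, userApproved) {
    const key = this.keys.get(appId);
    if (!key || !userApproved) return null;
    return crypto.sign('sha256', signedData(appId, challenge), key);
  }
}

class RelyingParty {
  constructor(appId) { this.appId = appId; this.publicKeys = new Map(); this.pending = new Map(); }
  storePublicKey(user, pem) { this.publicKeys.set(user, pem); } // no secret on the server
  newChallenge(user) {
    this.pending.set(user, crypto.randomBytes(32));
    return this.pending.get(user);
  }
  // Verify the signed response with the registered public key; a challenge is used once.
  verify(user, signature) {
    const challenge = this.pending.get(user), pem = this.publicKeys.get(user);
    this.pending.delete(user);
    if (!challenge || !pem || !signature) return false;
    return crypto.verify('sha256', signedData(this.appId, challenge), pem, signature);
  }
}

function demo() {
  const device = new Authenticator();
  const [bank, shop] = ['https://bank.example', 'https://shop.example'].map((id) => new RelyingParty(id));
  for (const rp of [bank, shop]) rp.storePublicKey('alice', device.register(rp.appId, true));
  const sig = device.sign(bank.appId, bank.newChallenge('alice'), true);
  const login = bank.verify('alice', sig);
  bank.newChallenge('alice');
  const replay = bank.verify('alice', sig); // old response against a fresh challenge
  const wrongSite = bank.verify('alice', device.sign(shop.appId, bank.newChallenge('alice'), true));
  const distinctKeys = bank.publicKeys.get('alice') !== shop.publicKeys.get('alice');
  return { login, replay, wrongSite, distinctKeys };
}

console.log(demo());
```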

Page 18:

FIDO UAF UNIVERSAL AUTHENTICATION FRAMEWORK

AUTHENTICATOR

Same User as enrolled before?

Same Authenticator as registered before?

Page 19:

THE BUILDING BLOCKS

FIDO USER DEVICE

RELYING PARTY

WEB SERVER

FIDO SERVER

TLS Server Key

BROWSER/APP

FIDO AUTHENTICATOR

FIDO CLIENT

ASM

Authentication Private Keys

Attestation Private Keys

Cryptographic Authentication

Public Keys DB

FIDO

Authenticator Metadata & Attestation Trust Store

UPDATE

Page 20:

ATTESTATION & METADATA

FIDO Server

FIDO Authenticator

Metadata

Signed Attestation Object

Verify Trust Anchor (Available from Metadata Service or Other Source)

Understand Authenticator Characteristic (Using Info From Metadata or Other Source)

Page 21:

UAF AUTHENTICATION

DEMO EXAMPLE

STEP 1

Page 22:

UAF AUTHENTICATION

DEMO EXAMPLE

STEP 2

Page 23:

UAF AUTHENTICATION

DEMO EXAMPLE

STEP 3

Page 24:

UAF AUTHENTICATION

DEMO EXAMPLE

STEP 4

Page 25:

FIDO U2F UNIVERSAL 2ND FACTOR

AUTHENTICATOR

USER VERIFICATION

FIDO AUTHENTICATION

Same authenticator as registered before?

Is a user present?

Same user as enrolled before?

Page 26:

Step 1 U2F AUTHENTICATION DEMO EXAMPLE

Page 27:

Step 2 U2F AUTHENTICATION DEMO EXAMPLE

Page 28:

Step 3 U2F AUTHENTICATION DEMO EXAMPLE

Page 29:

Step 4 U2F AUTHENTICATION DEMO EXAMPLE

Page 30:

USABILITY, SECURITY and PRIVACY

Page 31:

No 3rd Party in the Protocol

No Secrets on the Server side

Biometric Data (if used) Never Leaves Device

No Link-ability Between Services

No Link-ability Between Accounts

Page 32:

Better Security for online services

Reduced cost for the enterprise

Simpler and Safer for consumers

Page 33:

AGENDA

The Problem

The Solution

The Alliance

Updates

Page 34:

The Fast IDentity Online (FIDO) Alliance is an open industry association of over 220 global member organizations

Page 35:

Board Members

Services/Networks

Devices/Platforms

Vendors/Enablers

Page 36:

FIDO Alliance Mission

1. Develop Specifications

2. Operate Adoption Programs

3. Pursue Formal Standardization

Page 37:

FIDO SCOPE

Physical-to-digital identity

User Management

Authentication

Federation

Single Sign-On

Passwords, Risk-Based, Strong

MODERN AUTHENTICATION

Page 38:

AGENDA

The Problem

The Solution

The Alliance

Updates

Page 39:

FIDO TIMELINE

Milestones: FIDO 1.0 FINAL, First Deployments, Specification Review Draft, FIDO Ready Program, Alliance Announced, Certification Program, New U2F Transports, Broad Adoption

Dates: FEB 2013 (6 Members), DEC 2013, FEB 2014, FEB-OCT 2014, DEC 9 2014, MAY 2015, JUNE 2015, TODAY (>220 Members)

Page 40:

2014 FIDO ADOPTION

“PayPal and Samsung Enable Consumer Payments with Fingerprint Authentication on New Samsung Galaxy S5”, Feb 24, 2014

“Secure Consumer Payments Enabled for Alipay Customers with Easy-to-Use Fingerprint Sensors on Recently-Launched Samsung Galaxy S5”, September 17, 2014

“Google Launches Security Key, World’s First Deployment of Fast Identity Online Universal Second Factor (FIDO U2F) Authentication”, October 21, 2014

Page 41:

2015 FIDO ADOPTION

“Microsoft Announces FIDO Support Coming to Windows 10”, Feb 23, 2015

“Qualcomm launches Snapdragon fingerprint scanning technology”, March 2, 2015

“Google for Work announced Enterprise admin support for FIDO® U2F ‘Security Key’”, April 21, 2015

“Largest mobile network in Japan becomes first wireless carrier to enhance customer experience with natural, simple and strong ways to authenticate to DOCOMO’s services using FIDO standards”, May 26, 2015

“Today, we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.” August 12, 2015

“As part of the bank’s ongoing commitment to staying ahead of advancements in mobile device authentication, the technology supporting fingerprint sign-in was built according to FIDO (Fast IDentity Online) standards.” September 15, 2015


Page 43:

Deployments are enabled by FIDO Certified™ Products available today


Page 45:

Available to anyone

Ensures interoperability

Promotes the FIDO ecosystem

Steps to certification:

1. Conformance Self-Validation

2. Interoperability Testing

3. Certification Request

4. Trademark License (optional)

NEXT EVENT: October 5th (U2F)

fidoalliance.org/certification

Page 46:

Government Members

Announced June 9

FIDO Alliance Announces Government Membership Program – US and UK Government Agencies are First to Join

Government Agencies to Participate in Development of FIDO Standards for Universal Strong Authentication

“The fact that FIDO has now welcomed government participation is a logical and exciting step toward further advancement of the Identity Ecosystem; we look forward to continued progress.”

Page 47:

What’s Next?

Page 48:

FIDO Alliance Mission

1. Develop Specifications

FIDO 2.0 Technology Working Group

The mission of the new FIDO 2.0 Specification Technology Working Group is to consider future requirements, and to ensure widespread interoperability within the authentication ecosystem among devices, clients, and servers.

Page 49:

FIDO Alliance Mission

2. Operate Adoption Programs

FIDO Certification™ Program: Investigating the need/feasibility of adding “security” and “biometrics” testing

FIDO UAF Metadata Service: Formal launch of the UAF Metadata Service following current “soft launch”

FIDO Alliance Liaison Program: Launched new program with streamlined process to foster collaboration

FIDO Marketing & Education Programs: More webinars, seminars, conference talks, and targeted outreach – esp. in APAC

Page 50:

FIDO Alliance Mission

3. Pursue Formal Standardization

Submit mature technical Specification(s) to recognized SDOs…

• We will evaluate maturity for this purpose after more deployments

• We will use the Liaison Program to collaborate with SDOs on an ongoing basis

Page 51:

JOIN THE FIDO ECOSYSTEM

Page 52:

JOIN THE FIDO ALLIANCE

Page 53:

EXPERIENCE SIMPLER, STRONGER AUTHENTICATION